diff --git a/.gitignore b/.gitignore index 66072cd2f..e712a00ef 100644 --- a/.gitignore +++ b/.gitignore @@ -14,6 +14,9 @@ config* *Release/ *.ncb *.suo +*.sdf +*.opensdf +ipch/ build-aux/ rpm/spec stamp-h diff --git a/IDE/iOS/README.md b/IDE/iOS/README.md index 0c20d3fa7..e9e781b49 100644 --- a/IDE/iOS/README.md +++ b/IDE/iOS/README.md @@ -66,7 +66,6 @@ for "Preprocessor Macros" and add the following under both `Release` and * `HAVE_AESGCM` * `WOLFSSL_SHA512` * `WOLFSSL_SHA384` -* `NO_PWDBASED` -- for now, can drop later # Using the FIPS library @@ -80,3 +79,8 @@ libraries like this, so static builds are required. This creates a problem. Every time the application is changed, the FIPS checksum will change, because the FIPS library's position in the executable may change. +You need to add something to your application that will output the verifyCore +value to be used. The verifyCore in fips_test.c will need to be updated with this +value, the library rebuilt, and relinked into your application. The application +should not be changed during this process or the verifyCore check will fail again. + diff --git a/README b/README index 380575265..d9e982f38 100644 --- a/README +++ b/README @@ -34,6 +34,9 @@ before calling wolfSSL_new(); Though it's not recommended. *** end Notes *** +- GNU Binutils 2.24 ld has problems with some debug builds, to fix an ld error + add -fdebug-types-section to C_EXTRA_FLAGS + wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015) Release 3.4.6 of wolfSSL has bug fixes and new features including: diff --git a/README.md b/README.md index 65be1b0f2..59c77e37c 100644 --- a/README.md +++ b/README.md 
@@ -35,6 +35,9 @@ wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); before calling wolfSSL_new(); Though it's not recommended. ``` +- GNU Binutils 2.24 ld has problems with some debug builds, to fix an ld error + add -fdebug-types-section to C_EXTRA_FLAGS + #wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015) ##Release 3.4.6 of wolfSSL has bug fixes and new features including: diff --git a/configure.ac b/configure.ac index 1aca401dc..45a687368 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.4.6],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.4.7],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) @@ -165,6 +165,13 @@ then fi +# High Strength Build +AC_ARG_ENABLE([maxstrength], + [AS_HELP_STRING([--enable-maxstrength],[Enable Max Strengh build, allows TLSv1.2-AEAD-PFS ciphers only (default: disabled)])], + [ENABLED_MAXSTRENGTH=$enableval], + [ENABLED_MAXSTRENGTH=no]) + + # IPv6 Test Apps AC_ARG_ENABLE([ipv6], [ --enable-ipv6 Enable testing of IPV6 (default: disabled)], @@ -320,6 +327,12 @@ AC_ARG_ENABLE([sniffer], [ ENABLED_SNIFFER=no ] ) +# sniffer does't work in maxstrength mode +if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes" +then + AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.]) +fi + ENABLED_SNIFFTEST=no AS_IF([ test "x$ENABLED_SNIFFER" = "xyes" ], [ @@ -335,12 +348,12 @@ AM_CONDITIONAL([BUILD_SNIFFTEST], [ test "x$ENABLED_SNIFFTEST" = "xyes" ]) # AES-GCM AC_ARG_ENABLE([aesgcm], - [ --enable-aesgcm Enable wolfSSL AES-GCM support (default: disabled)], + [AS_HELP_STRING([--enable-aesgcm],[Enable wolfSSL AES-GCM support (default: enabled)])], [ ENABLED_AESGCM=$enableval ], [ ENABLED_AESGCM=yes ] ) -# lean pks does't need gcm +# lean psk does't need gcm if test "$ENABLED_LEANPSK" = "yes" then ENABLED_AESGCM=no 
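Review bot: The help text passed to AS_HELP_STRING for the new `--enable-maxstrength` option misspells "Strength" as "Strengh", and that string is what users read in `./configure --help`. I would change it to `[Enable Max Strength build, allows TLSv1.2-AEAD-PFS ciphers only (default: disabled)]`.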
@@ -426,12 +439,12 @@ AM_CONDITIONAL([BUILD_AESNI], [test "x$ENABLED_AESNI" = "xyes"]) # POLY1305 AC_ARG_ENABLE([poly1305], - [AS_HELP_STRING([--enable-poly1305],[Enable wolfSSL POLY1305 support (default: disabled)])], + [AS_HELP_STRING([--enable-poly1305],[Enable wolfSSL POLY1305 support (default: enabled)])], [ ENABLED_POLY1305=$enableval ], [ ENABLED_POLY1305=yes ] ) -# lean pks does't need poly1305 +# lean psk does't need poly1305 if test "$ENABLED_LEANPSK" = "yes" then ENABLED_POLY1305=no @@ -522,13 +535,26 @@ fi AM_CONDITIONAL([BUILD_BLAKE2], [test "x$ENABLED_BLAKE2" = "xyes"]) +# set sha512 default +SHA512_DEFAULT=no +if test "$host_cpu" = "x86_64" +then +SHA512_DEFAULT=yes +fi + # SHA512 AC_ARG_ENABLE([sha512], - [ --enable-sha512 Enable wolfSSL SHA-512 support (default: disabled)], + [AS_HELP_STRING([--enable-sha512],[Enable wolfSSL SHA-512 support (default: enabled on x86_64)])], [ ENABLED_SHA512=$enableval ], - [ ENABLED_SHA512=no ] + [ ENABLED_SHA512=$SHA512_DEFAULT ] ) +# lean psk does't need sha512 +if test "$ENABLED_LEANPSK" = "yes" +then + ENABLED_SHA512=no +fi + if test "$ENABLED_SHA512" = "yes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA512 -DWOLFSSL_SHA384" @@ -638,13 +664,27 @@ fi AM_CONDITIONAL([BUILD_DSA], [test "x$ENABLED_DSA" = "xyes"]) -# ECC +# set ecc default +ECC_DEFAULT=no + +if test "$host_cpu" = "x86_64" +then +ECC_DEFAULT=yes +fi + +# ECC AC_ARG_ENABLE([ecc], - [ --enable-ecc Enable ECC (default: disabled)], + [AS_HELP_STRING([--enable-ecc],[Enable ECC (default: enabled on x86_64)])], [ ENABLED_ECC=$enableval ], - [ ENABLED_ECC=no ] + [ ENABLED_ECC=$ECC_DEFAULT ] ) +# lean psk does't need ecc +if test "$ENABLED_LEANPSK" = "yes" +then + ENABLED_ECC=no +fi + if test "$ENABLED_ECC" = "yes" then AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR" 
@@ -655,7 +695,7 @@ AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) if test "$ENABLED_ECC" = "yes" && test "$ENABLED_SMALL" = "yes" then - AC_MSG_ERROR([cannot enable ecc and small, ecc requires TLS which small turns off.]) + AC_MSG_ERROR([cannot enable ecc and small, ecc requires TLS which small turns off.]) fi @@ -857,7 +897,7 @@ AM_CONDITIONAL([BUILD_RSA], [test "x$ENABLED_RSA" = "xyes"]) # DH AC_ARG_ENABLE([dh], - [ --enable-dh Enable DH (default: disabled)], + [AS_HELP_STRING([--enable-dh],[Enable DH (default: enabled)])], [ ENABLED_DH=$enableval ], [ ENABLED_DH=yes ] ) @@ -1027,7 +1067,7 @@ AM_CONDITIONAL([BUILD_DES3], [test "x$ENABLED_DES3" = "xyes"]) # ARC4 AC_ARG_ENABLE([arc4], - [ --enable-arc4 Enable ARC4 (default: enabled)], + [ --enable-arc4 Enable ARC4 (default: disabled)], [ ENABLED_ARC4=$enableval ], [ ENABLED_ARC4=no ] ) @@ -1156,12 +1196,12 @@ AM_CONDITIONAL([BUILD_RABBIT], [test "x$ENABLED_RABBIT" = "xyes"]) # CHACHA AC_ARG_ENABLE([chacha], - [ --enable-chacha Enable CHACHA (default: disabled)], + [ --enable-chacha Enable CHACHA (default: enabled)], [ ENABLED_CHACHA=$enableval ], [ ENABLED_CHACHA=yes ] ) -# lean pks does't need chacha +# lean psk does't need chacha if test "$ENABLED_LEANPSK" = "yes" then ENABLED_CHACHA=no @@ -1677,6 +1717,11 @@ then AM_CFLAGS="$AM_CFLAGS -DUSE_FAST_MATH" ENABLED_SLOWMATH="no" fi + if test "$host_cpu" = "x86_64" + then + # Have settings.h set FP_MAX_BITS higher if user didn't set directly + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_X86_64_BUILD" + fi fi 
@@ -1817,6 +1862,21 @@ fi AM_CONDITIONAL([BUILD_MCAPI], [test "x$ENABLED_MCAPI" = "xyes"]) +# Check for build-type conflicts +AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \ + test "x$ENABLED_LEANPSK" = "xyes"], + [AC_MSG_ERROR([Cannot use Max Strength and Lean PSK at the same time.])]) + + +# Update CFLAGS based on options +AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MAX_STRENGTH"]) + +AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \ + test "x$ENABLED_OLD_TLS" = "xyes"], + [AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS" + ENABLED_OLD_TLS=no]) + # OPTIMIZE FLAGS if test "$GCC" = "yes" @@ -1972,6 +2032,7 @@ echo " Features " echo " * Single threaded: $ENABLED_SINGLETHREADED" echo " * Filesystem: $ENABLED_FILESYSTEM" echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA" +echo " * Max Strength Build: $ENABLED_MAXSTRENGTH" echo " * fastmath: $ENABLED_FASTMATH" echo " * sniffer: $ENABLED_SNIFFER" echo " * snifftest: $ENABLED_SNIFFTEST" diff --git a/examples/client/client.c b/examples/client/client.c index 7c14d2980..d7a5e82e9 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -566,7 +566,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); #endif -#if defined(WOLFSSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) +#if defined(WOLFSSL_SNIFFER) if (cipherList == NULL) { /* don't use EDH, can't sniff tmp keys */ if (wolfSSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) { 
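Review bot: The last AS_IF in this hunk switches an explicitly requested old-TLS build off without telling the user, whereas the Lean PSK conflict just above it stops with AC_MSG_ERROR. I would at least add `AC_MSG_NOTICE([maxstrength: old TLS versions disabled])` inside that branch, or make the combination an error for consistency. The hunk also does not check other options that sit badly with a "TLSv1.2-AEAD-PFS only" build, such as `--enable-arc4`, whose help text this commit touches. Whether WOLFSSL_MAX_STRENGTH excludes those suites in the headers is not visible here, so a conflict check may be needed for them as well.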
@@ -607,10 +607,15 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } if (!usePsk && !useAnon) { - if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS) - err_sys("can't load ca file, Please run from wolfSSL home dir"); + if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert,0) != SSL_SUCCESS) + err_sys("can't load ca file, Please run from wolfSSL home dir"); +#ifdef HAVE_ECC + /* load ecc verify too, echoserver uses it by default w/ ecc */ + if (wolfSSL_CTX_load_verify_locations(ctx, eccCert, 0) != SSL_SUCCESS) + err_sys("can't load ecc ca file, Please run from wolfSSL home dir"); +#endif /* HAVE_ECC */ } -#endif +#endif /* !NO_FILESYSTEM && !NO_CERTS */ #if !defined(NO_CERTS) if (!usePsk && !useAnon && doPeerCheck == 0) wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index 5751622d5..ff754b7e8 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -130,7 +130,7 @@ void echoclient_test(void* args) load_buffer(ctx, caCert, CYASSL_CA); #endif -#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) +#if defined(CYASSL_SNIFFER) /* don't use EDH, can't sniff tmp keys */ SSL_CTX_set_cipher_list(ctx, "AES256-SHA"); #endif diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 680c11d5e..49b3933d2 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -160,7 +160,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) != SSL_SUCCESS) err_sys("can't load ntru key file, " "Please run from wolfSSL home dir"); - #elif defined(HAVE_ECC) + #elif defined(HAVE_ECC) && !defined(CYASSL_SNIFFER) /* ecc */ if (CyaSSL_CTX_use_certificate_file(ctx, eccCert, SSL_FILETYPE_PEM) != SSL_SUCCESS) 
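Review bot: The added `#ifdef HAVE_ECC` block loads eccCert as a second trust anchor on every run, including runs where verifyCert was chosen by the user (its assignment is outside this hunk, so this is inferred). A client started with a specific CA file would then also accept a server that chains to the bundled ECC certificate, which widens what peer verification accepts. I would load eccCert only when verifyCert still holds its default value, and extend the comment to say the extra anchor is a test convenience for echoserver. The enclosing client_test() starts and ends outside the hunk.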
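Review bot: Excluding CYASSL_SNIFFER from the ECC branch makes sniffer builds fall through to the RSA certificate, but the NTRU branch above it, of which only the tail is visible, gets no such exclusion. Since the later echoserver hunk restricts every CYASSL_SNIFFER build to "AES256-SHA", a build with both HAVE_NTRU and CYASSL_SNIFFER would presumably load the NTRU key and then offer only a suite that needs the RSA key. If that combination is meant to work, the opening condition should get the same `&& !defined(CYASSL_SNIFFER)`; if not, a `#error` for it would make the limit explicit. The return value of the cipher-list call in that later hunk is also not checked, unlike the equivalent calls in client.c and server.c.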
@@ -193,7 +193,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) } #endif -#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) +#if defined(CYASSL_SNIFFER) /* don't use EDH, can't sniff tmp keys */ CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA"); #endif diff --git a/examples/server/server.c b/examples/server/server.c index 9c74b26d9..df248dd6e 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -485,7 +485,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } #endif -#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) +#if defined(CYASSL_SNIFFER) /* don't use EDH, can't sniff tmp keys */ if (cipherList == NULL) { if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) diff --git a/rpm/spec.in b/rpm/spec.in index cda6e79b2..a68ab9c39 100644 --- a/rpm/spec.in +++ b/rpm/spec.in @@ -69,7 +69,7 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/libwolfssl.la %{_libdir}/libwolfssl.so %{_libdir}/libwolfssl.so.0 -%{_libdir}/libwolfssl.so.0.0.0 +%{_libdir}/libwolfssl.so.0.0.1 %files devel %defattr(-,root,root,-) @@ -174,14 +174,19 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/wolfssl/wolfcrypt/blake2.h %{_includedir}/wolfssl/wolfcrypt/camellia.h %{_includedir}/wolfssl/wolfcrypt/chacha.h +%{_includedir}/wolfssl/wolfcrypt/chacha20_poly1305.h %{_includedir}/wolfssl/wolfcrypt/coding.h %{_includedir}/wolfssl/wolfcrypt/compress.h +%{_includedir}/wolfssl/wolfcrypt/curve25519.h %{_includedir}/wolfssl/wolfcrypt/des3.h %{_includedir}/wolfssl/wolfcrypt/dh.h %{_includedir}/wolfssl/wolfcrypt/dsa.h %{_includedir}/wolfssl/wolfcrypt/ecc.h +%{_includedir}/wolfssl/wolfcrypt/ed25519.h %{_includedir}/wolfssl/wolfcrypt/error-crypt.h +%{_includedir}/wolfssl/wolfcrypt/fe_operations.h %{_includedir}/wolfssl/wolfcrypt/fips_test.h +%{_includedir}/wolfssl/wolfcrypt/ge_operations.h %{_includedir}/wolfssl/wolfcrypt/hc128.h %{_includedir}/wolfssl/wolfcrypt/hmac.h %{_includedir}/wolfssl/wolfcrypt/integer.h 
@@ -251,6 +256,8 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/pkgconfig/wolfssl.pc %changelog +* Tue Mar 31 2015 John Safranek +- Added recent new wolfcrypt headers for curve25519 * Fri Jan 09 2015 John Safranek - Update for cyassl->wolfssl name change * Fri Oct 20 2012 Brian Aker diff --git a/src/internal.c b/src/internal.c index 1b1afe8b4..4f644fd2f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -588,6 +588,10 @@ static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int idx = 0; if (haveECDSAsig) { + #ifdef WOLFSSL_SHA512 + suites->hashSigAlgo[idx++] = sha512_mac; + suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; + #endif #ifdef WOLFSSL_SHA384 suites->hashSigAlgo[idx++] = sha384_mac; suites->hashSigAlgo[idx++] = ecc_dsa_sa_algo; @@ -603,6 +607,10 @@ static void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, } if (haveRSAsig) { + #ifdef WOLFSSL_SHA512 + suites->hashSigAlgo[idx++] = sha512_mac; + suites->hashSigAlgo[idx++] = rsa_sa_algo; + #endif #ifdef WOLFSSL_SHA384 suites->hashSigAlgo[idx++] = sha384_mac; suites->hashSigAlgo[idx++] = rsa_sa_algo; @@ -1622,6 +1630,12 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) return ret; } #endif +#ifdef WOLFSSL_SHA512 + ret = wc_InitSha512(&ssl->hsHashes->hashSha512); + if (ret != 0) { + return ret; + } +#endif /* increment CTX reference count */ if (LockMutex(&ctx->countMutex) != 0) { @@ -2349,7 +2363,7 @@ ProtocolVersion MakeDTLSv1_2(void) word32 LowResTimer(void) { - return (word32) MYTIME_gettime(); + return (word32) Seconds_get(); } #elif defined(USER_TICKS) @@ -2362,6 +2376,21 @@ ProtocolVersion MakeDTLSv1_2(void) */ } #endif + +#elif defined(TIME_OVERRIDES) + + /* use same asn time overrides unless user wants tick override above */ + + #ifndef HAVE_TIME_T_TYPE + typedef long time_t; + #endif + extern time_t XTIME(time_t * timer); + + word32 LowResTimer(void) + { + return (word32) XTIME(0); + } + #else /* !USE_WINDOWS_API && !HAVE_RTP_SYS && !MICRIUM && !USER_TICKS */ #include 
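Review bot: Both added blocks in InitSuitesHashSigAlgo write two more entries through `suites->hashSigAlgo[idx++]` with no bound on idx, and the array's size is declared outside this diff. With SHA-512 enabled the ECDSA and RSA lists each grow by one pair, so please confirm the array still holds the largest combination of enabled hashes, or guard the writes. The second hunk (`haveRSAsig`) needs the same check. SHA-512 is also placed first in each list, which presumably changes the order in which the algorithms are advertised; a one-line comment stating that this is intended would help. The function continues past both hunks.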
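Review bot: The new TIME_OVERRIDES branch declares its own `typedef long time_t` and `extern time_t XTIME(time_t * timer);` inside internal.c instead of taking them from the header the asn code uses. If the user's XTIME is built against a different time_t, or XTIME is a macro in that configuration, this prototype disagrees with the real definition and the call is either undefined or fails to compile. I would move the declaration into one shared header and write the call as `XTIME(NULL)`. The `(word32)` cast truncates a wider time_t, which deserves a short comment saying the timer is only used for differences.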
@@ -2412,6 +2441,11 @@ static int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz) ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz); if (ret != 0) return ret; +#endif +#ifdef WOLFSSL_SHA512 + ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz); + if (ret != 0) + return ret; #endif } @@ -2453,6 +2487,11 @@ static int HashInput(WOLFSSL* ssl, const byte* input, int sz) ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, adj, sz); if (ret != 0) return ret; +#endif +#ifdef WOLFSSL_SHA512 + ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, adj, sz); + if (ret != 0) + return ret; #endif } @@ -3003,6 +3042,7 @@ static void BuildSHA(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #endif +/* Finished doesn't support SHA512, not SHA512 cipher suites yet */ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) { int ret = 0; @@ -3802,9 +3842,9 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) x509->derCert.length = dCert->maxIdx; } - x509->altNames = dCert->altNames; - dCert->altNames = NULL; /* takes ownership */ - x509->altNamesNext = x509->altNames; /* index hint */ + x509->altNames = dCert->altNames; + dCert->weOwnAltNames = 0; + x509->altNamesNext = x509->altNames; /* index hint */ x509->isCa = dCert->isCA; #ifdef OPENSSL_EXTRA @@ -6866,6 +6906,9 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) #ifdef WOLFSSL_SHA384 Sha384 sha384 = ssl->hsHashes->hashSha384; #endif + #ifdef WOLFSSL_SHA512 + Sha512 sha512 = ssl->hsHashes->hashSha512; + #endif if (ssl->options.tls) { #if ! defined( NO_OLD_TLS ) @@ -6885,6 +6928,11 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) if (ret != 0) return ret; #endif + #ifdef WOLFSSL_SHA512 + ret = wc_Sha512Final(&ssl->hsHashes->hashSha512,hashes->sha512); + if (ret != 0) + return ret; + #endif } } #if ! defined( NO_OLD_TLS ) 
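Review bot: In the CopyDecodedToX509 hunk `dCert->altNames` still points at the list that `x509->altNames` now owns, because ownership moves by clearing `weOwnAltNames` rather than by nulling the pointer, and the old "takes ownership" comment was dropped. Any read of `dCert->altNames` after the X509 is freed would touch freed memory, and the code that frees dCert has to honour the flag; neither is visible in this hunk. I would restore the intent in a comment, for example `/* x509 owns the list now; dCert keeps a borrowed pointer and must not free it */`. The function starts and ends outside the hunk.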
@@ -6904,6 +6952,9 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) #ifdef WOLFSSL_SHA384 ssl->hsHashes->hashSha384 = sha384; #endif + #ifdef WOLFSSL_SHA512 + ssl->hsHashes->hashSha512 = sha512; + #endif } return 0; @@ -8866,6 +8917,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl, break; } #endif + #ifdef WOLFSSL_SHA512 + else if (hashSigAlgo[i] == sha512_mac) { + ssl->suites->hashAlgo = sha512_mac; + break; + } + #endif } } } @@ -9892,6 +9949,15 @@ static void PickHashSigAlgo(WOLFSSL* ssl, byte hash384[SHA384_DIGEST_SIZE]; #endif #endif +#ifdef WOLFSSL_SHA512 +#ifdef WOLFSSL_SMALL_STACK + Sha512* sha512 = NULL; + byte* hash512 = NULL; +#else + Sha512 sha512[1]; + byte hash512[SHA512_DIGEST_SIZE]; +#endif +#endif #ifdef WOLFSSL_SMALL_STACK byte* hash = NULL; byte* messageVerify = NULL; @@ -10011,6 +10077,24 @@ static void PickHashSigAlgo(WOLFSSL* ssl, goto done; #endif +#ifdef WOLFSSL_SHA512 + #ifdef WOLFSSL_SMALL_STACK + sha512 = (Sha512*)XMALLOC(sizeof(Sha512), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (sha512 == NULL || hash512 == NULL) + ERROR_OUT(MEMORY_E, done); + #endif + if (!(ret = wc_InitSha512(sha512)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->clientRandom, RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->serverRandom, RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, messageVerify, verifySz))) + ret = wc_Sha512Final(sha512, hash512); + if (ret != 0) + goto done; +#endif + #ifndef NO_RSA /* rsa */ if (sigAlgo == rsa_sa_algo) @@ -10079,6 +10163,13 @@ static void PickHashSigAlgo(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = hash512; + typeH = SHA512h; + digestSz = SHA512_DIGEST_SIZE; + #endif + } #ifdef WOLFSSL_SMALL_STACK encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, 
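Review bot: The block added at `@@ -10011` computes a SHA-512 digest of the randoms and the signed parameters on every key exchange, and under WOLFSSL_SMALL_STACK allocates two more buffers, whichever hash was actually selected. Only one digest is used by the verification that follows, so, assuming hashAlgo is already known at that point, the block could be wrapped in `if (hashAlgo == sha512_mac)`. The same applies to the two later blocks that jump to `done_a2` and `done_b`. This mirrors the existing SHA-256/384 code, so it may be deliberate; if so, a comment saying why every digest is precomputed would be enough. The enclosing function starts and ends outside the hunk.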
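Review bot: When WOLFSSL_SHA512 is not defined, the new `else if (hashAlgo == sha512_mac)` branch at `@@ -10079` is empty, so digest, typeH and digestSz keep whatever they were set to before the chain (outside this hunk) and verification goes on with a hash the peer did not select. That most likely just ends in a signature mismatch, but an explicit error for an unsupported hash would be clearer and would not depend on the defaults. The hunk that sets `didSet = 1` handles this case; the other sha512_mac branches added in this file, the ones assigning `hash512` or `certHashes.sha512` without `didSet`, have the same gap. I would treat a sha512_mac value in a build without WOLFSSL_SHA512 as a handshake failure rather than falling through.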
@@ -10144,6 +10235,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = hash512; + digestSz = SHA512_DIGEST_SIZE; + #endif + } } if (doUserEcc) { #ifdef HAVE_PK_CALLBACKS @@ -10183,6 +10280,10 @@ static void PickHashSigAlgo(WOLFSSL* ssl, #ifdef WOLFSSL_SHA384 XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(hash384, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + #ifdef WOLFSSL_SHA512 + XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(hash512, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(messageVerify, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -10872,6 +10973,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (ssl->suites->hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = ssl->hsHashes->certHashes.sha512; + digestSz = SHA512_DIGEST_SIZE; + #endif + } } if (doUserEcc) { @@ -10940,6 +11047,14 @@ static void PickHashSigAlgo(WOLFSSL* ssl, didSet = 1; #endif } + else if (ssl->suites->hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = ssl->hsHashes->certHashes.sha512; + typeH = SHA512h; + digestSz = SHA512_DIGEST_SIZE; + didSet = 1; + #endif + } if (didSet == 0) { /* defaults */ @@ -11670,6 +11785,15 @@ int DoSessionTicket(WOLFSSL* ssl, byte hash384[SHA384_DIGEST_SIZE]; #endif #endif + #ifdef WOLFSSL_SHA512 + #ifdef WOLFSSL_SMALL_STACK + Sha512* sha512 = NULL; + byte* hash512 = NULL; + #else + Sha512 sha512[1]; + byte hash512[SHA512_DIGEST_SIZE]; + #endif + #endif #ifdef WOLFSSL_SMALL_STACK hash = (byte*)XMALLOC(FINISHED_SZ, NULL, 
@@ -11750,6 +11874,28 @@ int DoSessionTicket(WOLFSSL* ssl, goto done_a2; #endif + #ifdef WOLFSSL_SHA512 + #ifdef WOLFSSL_SMALL_STACK + sha512 = (Sha512*)XMALLOC(sizeof(Sha512), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (sha512 == NULL || hash512 == NULL) + ERROR_OUT(MEMORY_E, done_a2); + #endif + + if (!(ret = wc_InitSha512(sha512)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->clientRandom, + RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->serverRandom, + RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, output + preSigIdx, preSigSz))) + ret = wc_Sha512Final(sha512, hash512); + + if (ret != 0) + goto done_a2; + #endif + #ifndef NO_RSA if (ssl->suites->sigAlgo == rsa_sa_algo) { byte* signBuffer = hash; @@ -11792,6 +11938,13 @@ int DoSessionTicket(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (ssl->suites->hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = hash512; + typeH = SHA512h; + digestSz = SHA512_DIGEST_SIZE; + #endif + } signSz = wc_EncodeSignature(encodedSig, digest, digestSz, typeH); @@ -11862,6 +12015,12 @@ int DoSessionTicket(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (ssl->suites->hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = hash512; + digestSz = SHA512_DIGEST_SIZE; + #endif + } } if (doUserEcc) { @@ -11908,6 +12067,10 @@ int DoSessionTicket(WOLFSSL* ssl, XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(hash384, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif + #ifdef WOLFSSL_SHA512 + XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(hash512, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif #endif if (ret < 0) 
@@ -12111,6 +12274,15 @@ int DoSessionTicket(WOLFSSL* ssl, byte hash384[SHA384_DIGEST_SIZE]; #endif #endif + #ifdef WOLFSSL_SHA512 + #ifdef WOLFSSL_SMALL_STACK + Sha512* sha512 = NULL; + byte* hash512 = NULL; + #else + Sha512 sha512[1]; + byte hash512[SHA512_DIGEST_SIZE]; + #endif + #endif /* Add hash/signature algo ID */ if (IsAtLeastTLSv1_2(ssl)) { @@ -12205,6 +12377,28 @@ int DoSessionTicket(WOLFSSL* ssl, goto done_b; #endif + #ifdef WOLFSSL_SHA512 + #ifdef WOLFSSL_SMALL_STACK + sha512 = (Sha512*)XMALLOC(sizeof(Sha512), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (sha512 == NULL || hash512 == NULL) + ERROR_OUT(MEMORY_E, done_b); + #endif + + if (!(ret = wc_InitSha512(sha512)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->clientRandom, + RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, ssl->arrays->serverRandom, + RAN_LEN)) + && !(ret = wc_Sha512Update(sha512, output + preSigIdx, preSigSz))) + ret = wc_Sha512Final(sha512, hash512); + + if (ret != 0) + goto done_b; + #endif + #ifndef NO_RSA if (ssl->suites->sigAlgo == rsa_sa_algo) { byte* signBuffer = hash; @@ -12247,6 +12441,13 @@ int DoSessionTicket(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (ssl->suites->hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = hash512; + typeH = SHA512h; + digestSz = SHA512_DIGEST_SIZE; + #endif + } signSz = wc_EncodeSignature(encodedSig, digest, digestSz, typeH); @@ -12289,6 +12490,10 @@ int DoSessionTicket(WOLFSSL* ssl, XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(hash384, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif + #ifdef WOLFSSL_SHA512 + XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(hash512, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif #endif if (ret < 0) return ret; 
@@ -13030,6 +13235,13 @@ int DoSessionTicket(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = ssl->hsHashes->certHashes.sha512; + typeH = SHA512h; + digestSz = SHA512_DIGEST_SIZE; + #endif + } sigSz = wc_EncodeSignature(encodedSig, digest, digestSz, typeH); @@ -13082,6 +13294,12 @@ int DoSessionTicket(WOLFSSL* ssl, digestSz = SHA384_DIGEST_SIZE; #endif } + else if (hashAlgo == sha512_mac) { + #ifdef WOLFSSL_SHA512 + digest = ssl->hsHashes->certHashes.sha512; + digestSz = SHA512_DIGEST_SIZE; + #endif + } } if (doUserEcc) { diff --git a/src/keys.c b/src/keys.c index d83619681..b06debb28 100644 --- a/src/keys.c +++ b/src/keys.c @@ -2407,11 +2407,33 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) /* Initialize the AES-GCM/CCM explicit IV to a zero. */ XMEMCPY(ssl->keys.aead_exp_IV, keys->aead_exp_IV, AEAD_EXP_IV_SZ); + + /* Initialize encrypt implicit IV by encrypt side */ + if (ssl->options.side == WOLFSSL_CLIENT_END) { + XMEMCPY(ssl->keys.aead_enc_imp_IV, + keys->client_write_IV, AEAD_IMP_IV_SZ); + } else { + XMEMCPY(ssl->keys.aead_enc_imp_IV, + keys->server_write_IV, AEAD_IMP_IV_SZ); + } } #endif } - if (wc_decrypt) + if (wc_decrypt) { ssl->keys.peer_sequence_number = keys->peer_sequence_number; + #ifdef HAVE_AEAD + if (ssl->specs.cipher_type == aead) { + /* Initialize decrypt implicit IV by decrypt side */ + if (ssl->options.side == WOLFSSL_SERVER_END) { + XMEMCPY(ssl->keys.aead_dec_imp_IV, + keys->client_write_IV, AEAD_IMP_IV_SZ); + } else { + XMEMCPY(ssl->keys.aead_dec_imp_IV, + keys->server_write_IV, AEAD_IMP_IV_SZ); + } + } + #endif + } ssl->secure_renegotiation->cache_status++; } #endif /* HAVE_SECURE_RENEGOTIATION */ diff --git a/src/sniffer.c b/src/sniffer.c index 0e81a8674..58dfa4b0b 100644 --- a/src/sniffer.c +++ b/src/sniffer.c 
@@ -1075,8 +1075,12 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port, } XMEMSET(namedKey, 0, sizeof(NamedKey)); - namedKey->nameSz = (word32)strnlen(name, sizeof(namedKey->name)); - strncpy(namedKey->name, name, sizeof(namedKey->name)); + namedKey->nameSz = (word32)XSTRLEN(name); + XSTRNCPY(namedKey->name, name, sizeof(namedKey->name)); + if (namedKey->nameSz >= sizeof(namedKey->name)) { + namedKey->nameSz = sizeof(namedKey->name) - 1; + namedKey->name[namedKey->nameSz] = '\0'; + } ret = LoadKeyFile(&namedKey->key, &namedKey->keySz, keyFile, type, password); @@ -1578,6 +1582,8 @@ static int ProcessClientHello(const byte* input, int* sslBytes, if (ret == SSL_SUCCESS) { NamedKey* namedKey; + if (nameSz >= sizeof(name)) + nameSz = sizeof(name) - 1; name[nameSz] = 0; LockMutex(&session->context->namedKeysMutex); namedKey = session->context->namedKeys; diff --git a/src/ssl.c b/src/ssl.c index 571445365..d907f443a 100644 --- a/src/ssl.c +++ b/src/ssl.c 
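Review bot: A name that does not fit is now stored truncated rather than rejected, so the key is registered under a string the caller never supplied. Lookups compare against `namedKey->name`, so a truncated entry can never match the full name and could match a different, shorter one (the comparison is outside this hunk, so this is inferred). I would check the length before the copy and return an error, freeing namedKey on that path, instead of clamping afterwards. XSTRLEN(name) also assumes name is non-NULL, and no such check is visible here. SetNamedPrivateKey starts and ends outside the hunk.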
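Review bot: The clamp in ProcessClientHello keeps `name[nameSz] = 0` inside the buffer, but it runs after the call that filled name, so it protects only the terminator write. That the earlier call (outside this hunk) bounds its own copy should be confirmed and stated in a comment. A server name longer than the buffer is then matched in truncated form against the stored keys; treating `nameSz >= sizeof(name)` as "no matching key" would be safer than comparing a prefix.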
@@ -475,6 +475,39 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); return SSL_SUCCESS; } + +/* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */ +int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz, + const unsigned char* g, int gSz) +{ + WOLFSSL_ENTER("wolfSSL_CTX_SetTmpDH"); + if (ctx == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG; + + XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); + XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH); + + ctx->serverDH_P.buffer = (byte*)XMALLOC(pSz, ctx->heap,DYNAMIC_TYPE_DH); + if (ctx->serverDH_P.buffer == NULL) + return MEMORY_E; + + ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap,DYNAMIC_TYPE_DH); + if (ctx->serverDH_G.buffer == NULL) { + XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); + return MEMORY_E; + } + + ctx->serverDH_P.length = pSz; + ctx->serverDH_G.length = gSz; + + XMEMCPY(ctx->serverDH_P.buffer, p, pSz); + XMEMCPY(ctx->serverDH_G.buffer, g, gSz); + + ctx->haveDH = 1; + + WOLFSSL_LEAVE("wolfSSL_CTX_SetTmpDH", 0); + return SSL_SUCCESS; +} + #endif /* !NO_DH */ @@ -816,6 +849,11 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl) if (ret !=0) return ret; #endif +#ifdef WOLFSSL_SHA512 + ret = wc_InitSha512(&ssl->hsHashes->hashSha512); + if (ret !=0) + return ret; +#endif ret = wolfSSL_negotiate(ssl); return ret; 
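Review bot: In wolfSSL_CTX_SetTmpDH both old buffers are freed at the top but the pointers are left in place, so if the first XMALLOC fails `ctx->serverDH_G.buffer` still holds a freed address, and if the second fails `ctx->serverDH_P.buffer` does too. A later call to this function, or the context teardown if it frees these fields (not visible here), would then free them a second time. pSz and gSz are also passed to XMALLOC and XMEMCPY without a check for zero or negative values. The function is fully inside the hunk; the fence shows the argument check and the pointer resets I would add.

```c
    if (ctx == NULL || p == NULL || g == NULL || pSz <= 0 || gSz <= 0)
        return BAD_FUNC_ARG;

    /* drop the old parameters and clear the fields so a failure below
     * cannot leave freed pointers in the context */
    XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
    ctx->serverDH_P.buffer = NULL;
    ctx->serverDH_P.length = 0;
    XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH);
    ctx->serverDH_G.buffer = NULL;
    ctx->serverDH_G.length = 0;

    /* … unchanged: allocation and NULL check of serverDH_P.buffer … */

    ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap,DYNAMIC_TYPE_DH);
    if (ctx->serverDH_G.buffer == NULL) {
        XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
        ctx->serverDH_P.buffer = NULL;
        return MEMORY_E;
    }

    /* … unchanged: length assignments, XMEMCPY of p and g, haveDH = 1 … */
```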
@@ -3822,37 +3860,6 @@ int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format) } - /* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */ - int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz, - const unsigned char* g, int gSz) - { - WOLFSSL_ENTER("wolfSSL_CTX_SetTmpDH"); - if (ctx == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG; - - XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); - XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH); - - ctx->serverDH_P.buffer = (byte*)XMALLOC(pSz, ctx->heap,DYNAMIC_TYPE_DH); - if (ctx->serverDH_P.buffer == NULL) - return MEMORY_E; - - ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap,DYNAMIC_TYPE_DH); - if (ctx->serverDH_G.buffer == NULL) { - XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); - return MEMORY_E; - } - - ctx->serverDH_P.length = pSz; - ctx->serverDH_G.length = gSz; - - XMEMCPY(ctx->serverDH_P.buffer, p, pSz); - XMEMCPY(ctx->serverDH_G.buffer, g, gSz); - - ctx->haveDH = 1; - - WOLFSSL_LEAVE("wolfSSL_CTX_SetTmpDH", 0); - return SSL_SUCCESS; - } #endif /* NO_DH */ @@ -5165,6 +5172,13 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl) return SSL_FATAL_ERROR; } #endif + #ifdef WOLFSSL_SHA512 + if ( (ssl->error = wc_InitSha512( + &ssl->hsHashes->hashSha512)) != 0) { + WOLFSSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + #endif } if ( (ssl->error = SendClientHello(ssl)) != 0) { WOLFSSL_ERROR(ssl->error); @@ -5444,6 +5458,13 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl) return SSL_FATAL_ERROR; } #endif + #ifdef WOLFSSL_SHA512 + if ( (ssl->error = wc_InitSha512( + &ssl->hsHashes->hashSha512)) != 0) { + WOLFSSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + #endif } while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) 
@@ -8222,13 +8243,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl) long wolfSSL_SSL_SESSION_set_timeout(WOLFSSL_SESSION* ses, long t) { - word32 time; + word32 tmptime; if (!ses || t < 0) return BAD_FUNC_ARG; - time = t & 0xFFFFFFFF; + tmptime = t & 0xFFFFFFFF; - ses->timeout = time; + ses->timeout = tmptime; return SSL_SUCCESS; } diff --git a/support/wolfssl.pc b/support/wolfssl.pc index 7b18d95e5..1265e7ce0 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.4.6 +Version: 3.4.7 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/tirtos/include.am b/tirtos/include.am index 46bdd4323..03f87e4bf 100644 --- a/tirtos/include.am +++ b/tirtos/include.am 
@@ -9,14 +9,14 @@ EXTRA_DIST += \ tirtos/packages/ti/net/wolfssl/package.bld \ tirtos/packages/ti/net/wolfssl/package.xdc \ tirtos/packages/ti/net/wolfssl/package.xs \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.bld \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.xdc \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/test.cfg \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/TM4C1294NC.icf \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/main.c \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.bld \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.xdc \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/benchmark.cfg \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/TM4C1294NC.icf \ - tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/main.c + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.bld \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.xdc \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/test.cfg \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/TM4C1294NC.icf \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/main.c \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.bld \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.xdc \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/benchmark.cfg \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/TM4C1294NC.icf \ + tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/main.c diff --git a/tirtos/packages/ti/net/wolfssl/package.bld b/tirtos/packages/ti/net/wolfssl/package.bld index 95d0811ac..002cb08dc 100644 --- a/tirtos/packages/ti/net/wolfssl/package.bld +++ b/tirtos/packages/ti/net/wolfssl/package.bld 
@@ -50,7 +50,7 @@ var wolfSSLObjList = [ for each (var targ in Build.targets) { var libOptions = {incs: wolfsslPathInclude}; - var lib = Pkg.addLibrary("lib/" + Pkg.name, targ, libOptions); + var lib = Pkg.addLibrary("lib/wolfssl", targ, libOptions); lib.addObjects(wolfSSLObjList); } diff --git a/tirtos/packages/ti/net/wolfssl/package.xdc b/tirtos/packages/ti/net/wolfssl/package.xdc index f0c4b9f83..5fe467d45 100644 --- a/tirtos/packages/ti/net/wolfssl/package.xdc +++ b/tirtos/packages/ti/net/wolfssl/package.xdc @@ -1,7 +1,6 @@ /*! * ======== ti.net.wolfssl ======== * wolfSSL library for TI-RTOS - * */ -package ti.net.wolfssl { +package ti.net.wolfssl [1, 0, 0] { } diff --git a/tirtos/packages/ti/net/wolfssl/package.xs b/tirtos/packages/ti/net/wolfssl/package.xs index 9ecf38e5b..7f5215d36 100644 --- a/tirtos/packages/ti/net/wolfssl/package.xs +++ b/tirtos/packages/ti/net/wolfssl/package.xs @@ -8,5 +8,5 @@ */ function getLibs(prog) { - return ("lib/" + this.$name + ".a" + prog.build.target.suffix); + return ("lib/wolfssl.a" + prog.build.target.suffix); } diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/TM4C1294NC.icf b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/TM4C1294NC.icf similarity index 100% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/TM4C1294NC.icf rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/TM4C1294NC.icf diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/benchmark.cfg b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/benchmark.cfg similarity index 100% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/benchmark.cfg rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/benchmark.cfg 
diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/main.c b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/main.c similarity index 97% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/main.c rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/main.c index 15ee1fb98..eddd432f7 100644 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/main.c +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/main.c @@ -1,6 +1,6 @@ /* * ======== main.c ======== - * Entry point for Benchmark application + * Entry point for Benchmark application */ /* BIOS Header files */ #include @@ -27,7 +27,7 @@ void runBenchmarks(UArg arg0, UArg arg1) { void *args = NULL; msTimer_init(); - + System_printf("Running benchmarks...\n"); System_flush(); benchmark_test(args); diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.bld b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.bld similarity index 93% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.bld rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.bld index cff396855..453fee738 100644 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.bld +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.bld @@ -10,7 +10,7 @@ if ((typeof(TivaWareDir) == undefined) || (TivaWareDir == "")) { var Build = xdc.useModule('xdc.bld.BuildEnvironment'); var Pkg = xdc.useModule('xdc.bld.PackageContents'); -/* make command to search for the srcs */ +/* make command to search for the srcs */ Pkg.makePrologue = "vpath %.c $(subst ;, ,$(XPKGPATH))"; var srcs = [ 
@@ -37,16 +37,16 @@ for each (var targ in Build.targets) { targ.$orig.lnkOpts.suffix = suffix.replace(/PrintfSmall/, "PrintfFull"); } else if (targ.$name.match(/^gnu/)) { - targ.$orig.lnkOpts.suffix += " -L" + TivaWareDir + "/driverlib/gcc " + targ.$orig.lnkOpts.suffix += " -L" + TivaWareDir + "/driverlib/gcc " + " -Wl,--start-group -ldriver -Wl,--end-group "; targ.$orig.bspLib = "rdimon"; } - - var exeOptions = { incs: wolfsslPathInclude + + var exeOptions = { incs: wolfsslPathInclude + " -DNO_MAIN_DRIVER -D_INCLUDE_NIMU_CODE -DBENCH_EMBEDDED " + " -DTIVAWARE -DPART_TM4C1294NCPDT", lopts: lnkOpts - }; + }; var exe = Pkg.addExecutable("benchmark", targ, platform, exeOptions); exe.addObjects(srcs); diff --git a/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.xdc b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.xdc new file mode 100644 index 000000000..6a93cc333 --- /dev/null +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/benchmark/package.xdc @@ -0,0 +1,6 @@ +/* + * ======== ti.net.wolfssl.tests.EK_TM4C1294XL.wolfcrypt.benchmark ======== + * wc_ Benchmark Application + */ +package ti.net.wolfssl.tests.EK_TM4C1294XL.wolfcrypt.benchmark [1, 0, 0] { +} diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/TM4C1294NC.icf b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/TM4C1294NC.icf similarity index 100% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/TM4C1294NC.icf rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/TM4C1294NC.icf diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/main.c b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/main.c similarity index 95% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/main.c rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/main.c index 41378767a..88023e4e1 100644 
--- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/main.c +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/main.c @@ -1,6 +1,6 @@ /* * ======== main.c ======== - * Entry point to wolfcrypt Test Application + * Entry point to wolfcrypt Test Application */ /* XDCtools Header files */ @@ -53,4 +53,3 @@ int main(int argc, char** argv) BIOS_start(); } - diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.bld b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.bld similarity index 92% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.bld rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.bld index a76add170..adfca1c9c 100644 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.bld +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.bld @@ -10,7 +10,7 @@ if ((typeof(TivaWareDir) == undefined) || (TivaWareDir == "")) { var Build = xdc.useModule('xdc.bld.BuildEnvironment'); var Pkg = xdc.useModule('xdc.bld.PackageContents'); -/* make command to search for the srcs */ +/* make command to search for the srcs */ Pkg.makePrologue = "vpath %.c $(subst ;, ,$(XPKGPATH))"; var srcs = [ @@ -33,16 +33,16 @@ for each (var targ in Build.targets) { platform = "ti.platforms.tiva:TM4C1294NCPDT"; } else if (targ.$name.match(/^gnu/)) { - targ.$orig.lnkOpts.suffix += " -L" + TivaWareDir + "/driverlib/gcc " + targ.$orig.lnkOpts.suffix += " -L" + TivaWareDir + "/driverlib/gcc " + " -Wl,--start-group -ldriver -Wl,--end-group "; targ.$orig.bspLib = "rdimon"; } - - var exeOptions = { incs: wolfsslPathInclude + + var exeOptions = { incs: wolfsslPathInclude + " -DNO_MAIN_DRIVER -D_INCLUDE_NIMU_CODE -DBENCH_EMBEDDED " + " -DTIVAWARE -DPART_TM4C1294NCPDT", lopts: lnkOpts, - }; + }; var exe = Pkg.addExecutable("test", targ, platform, exeOptions); exe.addObjects(srcs); 
diff --git a/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.xdc b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.xdc new file mode 100644 index 000000000..0b85d5786 --- /dev/null +++ b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/package.xdc @@ -0,0 +1,6 @@ +/* + * ======== ti.net.wolfssl.tests.EK_TM4C1294XL.wolfcrypt.test ======== + * wolfcrypt Test Application + */ +package ti.net.wolfssl.tests.EK_TM4C1294XL.wolfcrypt.test [1, 0, 0] { +} diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/test.cfg b/tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/test.cfg similarity index 100% rename from tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/test.cfg rename to tirtos/packages/ti/net/wolfssl/tests/EK_TM4C1294XL/wolfcrypt/test/test.cfg diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.xdc b/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.xdc deleted file mode 100644 index c027f3203..000000000 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/benchmark/package.xdc +++ /dev/null @@ -1,6 +0,0 @@ -/* - * ======== ti.net.wolfssl.tests.wolfcrypt.benchmark ======== - * wc_ Benchmark Application - */ -package ti.net.wolfssl.tests.wolfcrypt.benchmark { -} diff --git a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.xdc b/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.xdc deleted file mode 100644 index 8b5cc1db6..000000000 --- a/tirtos/packages/ti/net/wolfssl/tests/wolfcrypt/test/package.xdc +++ /dev/null @@ -1,6 +0,0 @@ -/* - * ======== ti.net.wolfssl.tests.wolfcrypt.test ======== - * wolfcrypt Test Application - */ -package ti.net.wolfssl.tests.wolfcrypt.test { -} diff --git a/tirtos/wolfssl.bld b/tirtos/wolfssl.bld index 5702b8340..696208ba0 100644 --- a/tirtos/wolfssl.bld +++ b/tirtos/wolfssl.bld 
@@ -32,21 +32,24 @@ */ var armOpts = " -ms "; -var gnuOpts = ""; +var gnuOpts = " -D_POSIX_SOURCE "; var iarOpts = ""; /* Uncomment the following lines to build libraries for debug mode: */ // Pkg.attrs.profile = "debug"; // armOpts += " -g -o0 "; -// gnuOpts += " -g "; +// gnuOpts += " -g -D_POSIX_SOURCE "; // iarOpts += " --debug "; var ccOpts = { - "ti.targets.arm.elf.M4F" : armOpts, + "ti.targets.arm.elf.M4" : armOpts, + "ti.targets.arm.elf.M4F" : armOpts, - "gnu.targets.arm.M4F" : gnuOpts, + "gnu.targets.arm.M4" : gnuOpts, + "gnu.targets.arm.M4F" : gnuOpts, - "iar.targets.arm.M4F" : iarOpts, + "iar.targets.arm.M4" : iarOpts, + "iar.targets.arm.M4F" : iarOpts, }; /* initialize local vars with those set in xdcpaths.mak (via XDCARGS) */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index a79e85062..399753ab3 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -363,7 +363,7 @@ time_t XTIME(time_t * timer) { time_t sec = 0; - sec = (time_t) MYTIME_gettime(); + sec = (time_t) Seconds_get(); if (timer != NULL) *timer = sec; @@ -1425,6 +1425,7 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) cert->subjectCNLen = 0; cert->subjectCNEnc = CTC_UTF8; cert->subjectCNStored = 0; + cert->weOwnAltNames = 0; cert->altNames = NULL; #ifndef IGNORE_NAME_CONSTRAINTS cert->altEmailNames = NULL; @@ -1563,7 +1564,7 @@ void FreeDecodedCert(DecodedCert* cert) XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN); if (cert->pubKeyStored == 1) XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if (cert->altNames) + if (cert->weOwnAltNames && cert->altNames) FreeAltNames(cert->altNames, cert->heap); #ifndef IGNORE_NAME_CONSTRAINTS if (cert->altEmailNames) 
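Review bot: In wolfcrypt/src/asn.c, `XTIME()` now returns `Seconds_get()` with no comment saying where that clock gets its value, although the certificate date checks in this file rely on it. The TI-RTOS Seconds module counts from whatever was last passed to `Seconds_set()`, so a board that never sets the clock would presumably report a time near zero and date validation would be meaningless. I would add a comment above the call such as `/* application must set the clock with Seconds_set() before any certificate is verified */`. The preprocessor guard that selects this XTIME is outside the hunk.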
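Review bot: In `FreeDecodedCert()` (asn.c, hunk at -1563) the alt-name list is freed when `weOwnAltNames` is set, but as far as the hunk shows neither the pointer nor the flag is reset, so a second `FreeDecodedCert()` on the same struct would free the list again. I would brace the `if` and follow the call with `cert->altNames = NULL; cert->weOwnAltNames = 0;`. The ownership contract is also undocumented in the visible hunks: the flag is set in `DecodeAltNames()` (hunk at -3416) and presumably cleared by whichever caller takes the list over, so a one-line comment at the field's declaration saying who clears it and when would help. The function body continues outside the hunk.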
@@ -2363,12 +2364,12 @@ int ValidateDate(const byte* date, byte format, int dateType) time_t ltime; struct tm certTime; struct tm* localTime; - struct tm* tmpTime; + struct tm* tmpTime = NULL; int i = 0; -#ifdef FREESCALE_MQX - struct tm mqxTime; - tmpTime = &mqxTime; +#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) + struct tm tmpTimeStorage; + tmpTime = &tmpTimeStorage; #else (void)tmpTime; #endif @@ -2394,9 +2395,9 @@ int ValidateDate(const byte* date, byte format, int dateType) GetTime((int*)&certTime.tm_hour, date, &i); GetTime((int*)&certTime.tm_min, date, &i); GetTime((int*)&certTime.tm_sec, date, &i); - + if (date[i] != 'Z') { /* only Zulu supported for this profile */ - WOLFSSL_MSG("Only Zulu time supported for this profile"); + WOLFSSL_MSG("Only Zulu time supported for this profile"); return 0; } @@ -3416,6 +3417,8 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) return ASN_PARSE_E; } + cert->weOwnAltNames = 1; + while (length > 0) { byte b = input[idx++]; @@ -5217,13 +5220,13 @@ static int SetValidity(byte* output, int daysValid) time_t ticks; time_t normalTime; struct tm* now; - struct tm* tmpTime; + struct tm* tmpTime = NULL; struct tm local; -#ifdef FREESCALE_MQX - /* for use with MQX gmtime_r */ - struct tm mqxTime; - tmpTime = &mqxTime; +#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) + /* for use with gmtime_r */ + struct tm tmpTimeStorage; + tmpTime = &tmpTimeStorage; #else (void)tmpTime; #endif diff --git a/wolfcrypt/src/chacha.c b/wolfcrypt/src/chacha.c index 25e42a1d4..4e95bdbd0 100644 --- a/wolfcrypt/src/chacha.c +++ b/wolfcrypt/src/chacha.c @@ -78,10 +78,6 @@ int wc_Chacha_SetIV(ChaCha* ctx, const byte* inIv, word32 counter) { word32 temp[3]; /* used for alignment of memory */ - XMEMSET(temp, 0, 12); - - if (ctx == NULL) - return BAD_FUNC_ARG; #ifdef CHACHA_AEAD_TEST word32 i; 
@@ -92,12 +88,15 @@ int wc_Chacha_SetIV(ChaCha* ctx, const byte* inIv, word32 counter) printf("\n\n"); #endif + if (ctx == NULL) + return BAD_FUNC_ARG; + XMEMCPY(temp, inIv, 12); - ctx->X[12] = counter; /* block counter */ - ctx->X[13] = temp[0]; /* fixed variable from nonce */ - ctx->X[14] = temp[1]; /* counter from nonce */ - ctx->X[15] = temp[2]; /* counter from nonce */ + ctx->X[12] = LITTLE32(counter); /* block counter */ + ctx->X[13] = LITTLE32(temp[0]); /* fixed variable from nonce */ + ctx->X[14] = LITTLE32(temp[1]); /* counter from nonce */ + ctx->X[15] = LITTLE32(temp[2]); /* counter from nonce */ return 0; } @@ -115,14 +114,20 @@ int wc_Chacha_SetKey(ChaCha* ctx, const byte* key, word32 keySz) const word32* constants; const byte* k; +#ifdef XSTREAM_ALIGN + word32 alignKey[8]; +#endif + if (ctx == NULL) return BAD_FUNC_ARG; + if (keySz != 16 && keySz != 32) + return BAD_FUNC_ARG; + #ifdef XSTREAM_ALIGN - word32 alignKey[keySz / 4]; if ((wolfssl_word)key % 4) { WOLFSSL_MSG("wc_ChachaSetKey unaligned key"); - XMEMCPY(alignKey, key, sizeof(alignKey)); + XMEMCPY(alignKey, key, keySz); k = (byte*)alignKey; } else { @@ -152,20 +157,16 @@ int wc_Chacha_SetKey(ChaCha* ctx, const byte* key, word32 keySz) constants = sigma; } else { - /* key size of 128 */ - if (keySz != 16) - return BAD_FUNC_ARG; - constants = tau; } ctx->X[ 8] = U8TO32_LITTLE(k + 0); ctx->X[ 9] = U8TO32_LITTLE(k + 4); ctx->X[10] = U8TO32_LITTLE(k + 8); ctx->X[11] = U8TO32_LITTLE(k + 12); - ctx->X[ 0] = U8TO32_LITTLE(constants + 0); - ctx->X[ 1] = U8TO32_LITTLE(constants + 1); - ctx->X[ 2] = U8TO32_LITTLE(constants + 2); - ctx->X[ 3] = U8TO32_LITTLE(constants + 3); + ctx->X[ 0] = constants[0]; + ctx->X[ 1] = constants[1]; + ctx->X[ 2] = constants[2]; + ctx->X[ 3] = constants[3]; return 0; } diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index fd853633c..9993dcc88 100755 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c 
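Review bot: `wc_Chacha_SetIV()` checks `ctx` but not `inIv` before `XMEMCPY(temp, inIv, 12)`, so a NULL nonce pointer is dereferenced; the guard should read `if (ctx == NULL || inIv == NULL) return BAD_FUNC_ARG;`. The check now also sits after the `CHACHA_AEAD_TEST` debug block, most of which is outside the hunk, so if that block reads `inIv` it does so unchecked. Separately, `counter` is a host-order integer argument rather than bytes copied from the nonce, so `LITTLE32(counter)` looks like it would byte-swap the block counter on a big-endian build (assuming LITTLE32 swaps there) and produce a keystream that does not interoperate. `ctx->X[12] = counter;` appears to be what is intended.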
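Review bot: `wc_Chacha_SetKey()` (chacha.c, hunk at -115) now validates `ctx` and `keySz` but never `key`, which is read by the `XMEMCPY` on the `XSTREAM_ALIGN` path and by `U8TO32_LITTLE(k + 0)`; I would fold it into the first check as `if (ctx == NULL || key == NULL) return BAD_FUNC_ARG;`. On the `XSTREAM_ALIGN` path `alignKey` holds a copy of the key on the stack and, in the lines shown, is not cleared before `return 0;`. It is worth wiping it with the library's zeroizing helper (ForceZero, if this tree has it), since a plain memset before return may be optimised away. Part of the function lies between this hunk and the next one (-152) and is not visible.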
@@ -446,9 +446,9 @@ int wc_Sha256Update(Sha256* sha256, const byte* data, word32 len) if (sha256->buffLen == SHA256_BLOCK_SIZE) { int ret; - #if defined(LITTLE_ENDIAN_ORDER) + #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) - if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) + if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) #endif ByteReverseWords(sha256->buffer, sha256->buffer, SHA256_BLOCK_SIZE); @@ -481,7 +481,7 @@ int wc_Sha256Final(Sha256* sha256, byte* hash) XMEMSET(&local[sha256->buffLen], 0, SHA256_BLOCK_SIZE - sha256->buffLen); sha256->buffLen += SHA256_BLOCK_SIZE - sha256->buffLen; - #if defined(LITTLE_ENDIAN_ORDER) + #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) #endif @@ -502,7 +502,7 @@ int wc_Sha256Final(Sha256* sha256, byte* hash) sha256->loLen = sha256->loLen << 3; /* store lengths */ - #if defined(LITTLE_ENDIAN_ORDER) + #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) #endif @@ -512,7 +512,7 @@ int wc_Sha256Final(Sha256* sha256, byte* hash) XMEMCPY(&local[SHA256_PAD_SIZE], &sha256->hiLen, sizeof(word32)); XMEMCPY(&local[SHA256_PAD_SIZE + sizeof(word32)], &sha256->loLen, sizeof(word32)); - + #if defined(FREESCALE_MMCAU) || defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) /* Kinetis requires only these bytes reversed */ #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d12ed3257..3ead47d88 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h 
@@ -181,172 +181,284 @@ typedef byte word24[3]; make sure to use at least one BUILD_SSL_xxx or BUILD_TLS_xxx is defined When adding cipher suites, add name to cipher_names, idx to cipher_name_idx + + Now that there is a maximum strength crypto build, the following BUILD_XXX + flags need to be divided into two groups selected by WOLFSSL_MAX_STRENGTH. + Those that do not use Perfect Forward Security and do not use AEAD ciphers + need to be switched off. Allowed suites use (EC)DHE, AES-GCM|CCM, or + CHACHA-POLY. */ -#if !defined(NO_RSA) && !defined(NO_RC4) - #if !defined(NO_SHA) - #define BUILD_SSL_RSA_WITH_RC4_128_SHA - #endif - #if !defined(NO_MD5) - #define BUILD_SSL_RSA_WITH_RC4_128_MD5 - #endif - #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) - #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA - #endif + +/* Check that if WOLFSSL_MAX_STRENGTH is set that all the required options are + * not turned off. */ +#if defined(WOLFSSL_MAX_STRENGTH) && \ + ((!defined(HAVE_ECC) && (defined(NO_DH) || defined(NO_RSA))) || \ + (!defined(HAVE_AESGCM) && !defined(HAVE_AESCCM) && \ + (!defined(HAVE_POLY1305) || !defined(HAVE_CHACHA))) || \ + (defined(NO_SHA256) && !defined(WOLFSSL_SHA384)) || \ + !defined(NO_OLD_TLS)) + + #error "You are trying to build max strength with requirements disabled." 
#endif -#if !defined(NO_RSA) && !defined(NO_DES3) - #if !defined(NO_SHA) - #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA - #if !defined(NO_TLS) && defined(HAVE_NTRU) - #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA - #endif - #endif -#endif +#ifndef WOLFSSL_MAX_STRENGTH -#if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA - #if defined(HAVE_NTRU) - #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA - #endif - #endif - #if !defined (NO_SHA256) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 - #endif - #if defined (HAVE_AESGCM) - #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 - #if defined (WOLFSSL_SHA384) - #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 + #if !defined(NO_RSA) && !defined(NO_RC4) + #if !defined(NO_SHA) + #define BUILD_SSL_RSA_WITH_RC4_128_SHA + #endif + #if !defined(NO_MD5) + #define BUILD_SSL_RSA_WITH_RC4_128_MD5 + #endif + #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) + #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA #endif #endif - #if defined (HAVE_AESCCM) - #define BUILD_TLS_RSA_WITH_AES_128_CCM_8 - #define BUILD_TLS_RSA_WITH_AES_256_CCM_8 - #endif - #if defined(HAVE_BLAKE2) - #define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 - #define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 - #endif -#endif -#if defined(HAVE_CAMELLIA) && !defined(NO_TLS) - #ifndef NO_RSA - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 + #if !defined(NO_RSA) && !defined(NO_DES3) + #if !defined(NO_SHA) + #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA + #if !defined(NO_TLS) && defined(HAVE_NTRU) + #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA + #endif 
#endif - #if !defined(NO_DH) + #endif + + #if !defined(NO_RSA) && !defined(NO_AES) && !defined(NO_TLS) + #if !defined(NO_SHA) + #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA + #if defined(HAVE_NTRU) + #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA + #endif + #endif + #if !defined (NO_SHA256) + #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256 + #endif + #if defined (HAVE_AESGCM) + #define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256 + #if defined (WOLFSSL_SHA384) + #define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384 + #endif + #endif + #if defined (HAVE_AESCCM) + #define BUILD_TLS_RSA_WITH_AES_128_CCM_8 + #define BUILD_TLS_RSA_WITH_AES_256_CCM_8 + #endif + #if defined(HAVE_BLAKE2) + #define BUILD_TLS_RSA_WITH_AES_128_CBC_B2B256 + #define BUILD_TLS_RSA_WITH_AES_256_CBC_B2B256 + #endif + #endif + + #if defined(HAVE_CAMELLIA) && !defined(NO_TLS) + #ifndef NO_RSA #if !defined(NO_SHA) - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA #endif #ifndef NO_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 + #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 + #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 + #endif + #if !defined(NO_DH) + #if !defined(NO_SHA) + #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA + #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + #endif + #ifndef NO_SHA256 + #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 + #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 + #endif #endif #endif #endif -#endif -#if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS) - #if !defined(NO_SHA) - #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA - #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA - #endif - 
#ifndef NO_SHA256 - #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 - #ifdef HAVE_AESGCM - #define BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 + #if !defined(NO_PSK) && !defined(NO_AES) && !defined(NO_TLS) + #if !defined(NO_SHA) + #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA + #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA #endif - #ifdef HAVE_AESCCM - #define BUILD_TLS_PSK_WITH_AES_128_CCM_8 - #define BUILD_TLS_PSK_WITH_AES_256_CCM_8 - #define BUILD_TLS_PSK_WITH_AES_128_CCM - #define BUILD_TLS_PSK_WITH_AES_256_CCM - #endif - #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 - #ifdef HAVE_AESGCM - #define BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 - #endif - #endif -#endif - -#if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) - #if !defined(NO_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_NULL_SHA - #endif - #ifndef NO_SHA256 - #define BUILD_TLS_RSA_WITH_NULL_SHA256 - #endif - #endif - #if !defined(NO_PSK) - #if !defined(NO_SHA) - #define BUILD_TLS_PSK_WITH_NULL_SHA - #endif #ifndef NO_SHA256 - #define BUILD_TLS_PSK_WITH_NULL_SHA256 + #define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256 + #ifdef HAVE_AESGCM + #define BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256 + #endif + #ifdef HAVE_AESCCM + #define BUILD_TLS_PSK_WITH_AES_128_CCM_8 + #define BUILD_TLS_PSK_WITH_AES_256_CCM_8 + #define BUILD_TLS_PSK_WITH_AES_128_CCM + #define BUILD_TLS_PSK_WITH_AES_256_CCM + #endif #endif #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_PSK_WITH_NULL_SHA384 - #endif - #endif -#endif - -#if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS) - #define BUILD_TLS_RSA_WITH_HC_128_MD5 - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_HC_128_SHA - #endif - #if defined(HAVE_BLAKE2) - #define BUILD_TLS_RSA_WITH_HC_128_B2B256 - #endif -#endif - -#if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA) - #if !defined(NO_SHA) - #define BUILD_TLS_RSA_WITH_RABBIT_SHA - #endif -#endif - -#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ - !defined(NO_RSA) - #if 
!defined(NO_SHA) - #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA - #endif - #if !defined (NO_SHA256) - #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - #if defined (HAVE_AESGCM) - #define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - #if defined (WOLFSSL_SHA384) - #define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + #define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384 + #ifdef HAVE_AESGCM + #define BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384 #endif #endif #endif -#endif -#if defined(HAVE_ANON) && !defined(NO_TLS) && !defined(NO_DH) && \ - !defined(NO_AES) && !defined(NO_SHA) - #define BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA + #if !defined(NO_TLS) && defined(HAVE_NULL_CIPHER) + #if !defined(NO_RSA) + #if !defined(NO_SHA) + #define BUILD_TLS_RSA_WITH_NULL_SHA + #endif + #ifndef NO_SHA256 + #define BUILD_TLS_RSA_WITH_NULL_SHA256 + #endif + #endif + #if !defined(NO_PSK) + #if !defined(NO_SHA) + #define BUILD_TLS_PSK_WITH_NULL_SHA + #endif + #ifndef NO_SHA256 + #define BUILD_TLS_PSK_WITH_NULL_SHA256 + #endif + #ifdef WOLFSSL_SHA384 + #define BUILD_TLS_PSK_WITH_NULL_SHA384 + #endif + #endif + #endif + + #if !defined(NO_HC128) && !defined(NO_RSA) && !defined(NO_TLS) + #define BUILD_TLS_RSA_WITH_HC_128_MD5 + #if !defined(NO_SHA) + #define BUILD_TLS_RSA_WITH_HC_128_SHA + #endif + #if defined(HAVE_BLAKE2) + #define BUILD_TLS_RSA_WITH_HC_128_B2B256 + #endif + #endif + + #if !defined(NO_RABBIT) && !defined(NO_TLS) && !defined(NO_RSA) + #if !defined(NO_SHA) + #define BUILD_TLS_RSA_WITH_RABBIT_SHA + #endif + #endif + + #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ + !defined(NO_RSA) + + #if !defined(NO_SHA) + #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA + #endif + #if !defined(NO_SHA256) + #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + #endif + #endif + + #if 
defined(HAVE_ANON) && !defined(NO_TLS) && !defined(NO_DH) && \ + !defined(NO_AES) && !defined(NO_SHA) + #define BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA + #endif + + #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) + #ifndef NO_SHA256 + #define BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 + #ifdef HAVE_NULL_CIPHER + #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 + #endif + #endif + #ifdef WOLFSSL_SHA384 + #define BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 + #ifdef HAVE_NULL_CIPHER + #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 + #endif + #endif + #endif + + #if defined(HAVE_ECC) && !defined(NO_TLS) + #if !defined(NO_AES) + #if !defined(NO_SHA) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + #endif + + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + #endif /* NO_SHA */ + #ifndef NO_SHA256 + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + #endif + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + #endif + + #ifdef WOLFSSL_SHA384 + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + #endif + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + #endif + + #if defined (HAVE_AESGCM) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + #if defined(WOLFSSL_SHA384) + #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + #endif + #endif + + #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + + #if defined(WOLFSSL_SHA384) + #define 
BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + #endif + #endif + #endif /* NO_AES */ + #if !defined(NO_RC4) + #if !defined(NO_SHA) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA + #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA + #endif + + #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA + #endif + #endif + #if !defined(NO_DES3) + #if !defined(NO_RSA) + #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA + #endif + + #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA + #endif + #endif + +#endif /* !WOLFSSL_MAX_STRENGTH */ + +#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \ + !defined(NO_RSA) && defined(HAVE_AESGCM) + + #ifndef NO_SHA256 + #define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + #endif + + #ifdef WOLFSSL_SHA384 + #define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + #endif #endif #if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) #ifndef NO_SHA256 - #define BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 - #ifdef HAVE_NULL_CIPHER - #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA256 - #endif #ifdef HAVE_AESGCM #define BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 #endif 
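Review bot: The `WOLFSSL_MAX_STRENGTH` sanity check in wolfssl/internal.h accepts `HAVE_AESCCM` as the only AEAD, but the suites that stay enabled in max-strength mode use CCM only with ECDHE-ECDSA and DHE-PSK (this hunk and the one at -355); the DHE-RSA suites are guarded by `HAVE_AESGCM` or ChaCha20-Poly1305. A configuration with DH and RSA, no ECC, no PSK and CCM as the sole AEAD therefore passes the `#error` test yet defines no usable suite, unless a later check outside these hunks catches the empty list. I would add a clause to the condition along the lines of `(!defined(HAVE_ECC) && defined(NO_PSK) && !defined(HAVE_AESGCM) && (!defined(HAVE_POLY1305) || !defined(HAVE_CHACHA)))`, so the misconfiguration fails at build time instead of at handshake time.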
@@ -355,93 +467,41 @@ typedef byte word24[3]; #define BUILD_TLS_DHE_PSK_WITH_AES_256_CCM #endif #endif - #ifdef WOLFSSL_SHA384 - #define BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 - #ifdef HAVE_NULL_CIPHER - #define BUILD_TLS_DHE_PSK_WITH_NULL_SHA384 - #endif - #ifdef HAVE_AESGCM - #define BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 - #endif + #if defined(WOLFSSL_SHA384) && defined(HAVE_AESGCM) + #define BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 #endif #endif -#if defined(HAVE_ECC) && !defined(NO_TLS) - #if !defined(NO_AES) - #if !defined(NO_SHA) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - #endif /* NO_SHA */ +#if defined(HAVE_ECC) && !defined(NO_TLS) && !defined(NO_AES) + #ifdef HAVE_AESGCM #ifndef NO_SHA256 - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - #endif - - #ifdef WOLFSSL_SHA384 - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - #endif - - #if defined (HAVE_AESGCM) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - #define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - #if defined(WOLFSSL_SHA384) - #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - #define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - #endif - #endif - #define 
BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - - #if defined(WOLFSSL_SHA384) - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - #define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + #ifndef NO_RSA + #define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 #endif #endif - #if defined (HAVE_AESCCM) - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 - #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 - #endif - #endif /* NO_AES */ - #if !defined(NO_RC4) - #if !defined(NO_SHA) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA - #define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA + #ifdef WOLFSSL_SHA384 + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + #ifndef NO_RSA + #define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 #endif - - #define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA #endif #endif - #if !defined(NO_DES3) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - #define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - #endif + #if defined(HAVE_AESCCM) && !defined(NO_SHA256) + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 + #define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 + #endif +#endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - #define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA +#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_SHA256) + #ifdef HAVE_ECC + #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + #ifndef NO_RSA + #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + #endif + #endif + #if !defined(NO_DH) && !defined(NO_RSA) + #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 #endif #endif 
@@ -463,6 +523,7 @@ typedef byte word24[3]; #endif #if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \ + defined(BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) || \ defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \ defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256) #define BUILD_AESGCM @@ -499,25 +560,21 @@ typedef byte word24[3]; #ifdef HAVE_CHACHA #define CHACHA20_BLOCK_SIZE 16 - /* ChaCha - Poly AEAD suites */ - #if defined(HAVE_POLY1305) && !defined(NO_SHA256) - #if defined(HAVE_ECC) - #if !defined(NO_RSA) - #define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - #endif - #define BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - #endif - #if !defined(NO_DH) && !defined(NO_RSA) - #define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - #endif - #endif /* end of ChaCha - Poly AEAD suites */ #endif -#if defined(BUILD_AESGCM) || defined(HAVE_AESCCM) || \ - (defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) +#if defined(WOLFSSL_MAX_STRENGTH) || \ + defined(HAVE_AESGCM) || defined(HAVE_AESCCM) || \ + (defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) + #define HAVE_AEAD #endif +#if defined(WOLFSSL_MAX_STRENGTH) || \ + defined(HAVE_ECC) || !defined(NO_DH) + + #define HAVE_PFS +#endif + /* actual cipher values, 2nd byte */ enum { @@ -1657,6 +1714,9 @@ typedef struct Hashes { #ifdef WOLFSSL_SHA384 byte sha384[SHA384_DIGEST_SIZE]; #endif + #ifdef WOLFSSL_SHA512 + byte sha512[SHA512_DIGEST_SIZE]; + #endif } Hashes; @@ -2033,6 +2093,9 @@ typedef struct HS_Hashes { #ifdef WOLFSSL_SHA384 Sha384 hashSha384; /* sha384 hash of handshake msgs */ #endif +#ifdef WOLFSSL_SHA512 + Sha512 hashSha512; /* sha512 hash of handshake msgs */ +#endif } HS_Hashes; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index afee66e47..a5e0a64d8 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
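Review bot: The `BUILD_AESGCM` condition still names only `_AES_128_GCM_SHA256` suite macros, while the preceding hunk defines `BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` under `WOLFSSL_SHA384` and, as far as the collapsed layout shows, outside the `NO_SHA256` guard. A build with `NO_SHA256` and `WOLFSSL_SHA384` would then enable a GCM suite without `BUILD_AESGCM`; what that macro gates is outside the hunk, so the effect is not visible here. Adding the 256-bit names to the list, e.g. `defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) || \`, would remove the dependency on which hash happens to be enabled.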
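Review bot: `HAVE_AEAD` and `HAVE_PFS` are now defined whenever `WOLFSSL_MAX_STRENGTH` is set, even when no AEAD cipher (`HAVE_AESGCM`, `HAVE_AESCCM`, ChaCha20-Poly1305) or neither ECC nor DH is compiled in. The macros then stop describing the build, and a misconfigured max-strength build is not caught at this point. Deriving both macros from the feature flags alone and failing the build when max strength is requested without them keeps the guarantee checkable at compile time. Unless an equivalent `#error` already exists outside this hunk, the block below would do it.

```c
#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM) || \
    (defined(HAVE_CHACHA) && defined(HAVE_POLY1305))
    #define HAVE_AEAD
#endif

#if defined(HAVE_ECC) || !defined(NO_DH)
    #define HAVE_PFS
#endif

/* A max strength build must really contain an AEAD cipher and a PFS key
 * exchange; refuse to compile otherwise. */
#if defined(WOLFSSL_MAX_STRENGTH) && \
    (!defined(HAVE_AEAD) || !defined(HAVE_PFS))
    #error "WOLFSSL_MAX_STRENGTH requires an AEAD cipher and ECC or DH"
#endif
```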
@@ -882,7 +882,6 @@ WOLFSSL_API int wolfSSL_SetTmpDH(WOLFSSL*, const unsigned char* p, int pSz, const unsigned char* g, int gSz); WOLFSSL_API int wolfSSL_SetTmpDH_buffer(WOLFSSL*, const unsigned char* b, long sz, int format); -WOLFSSL_API int wolfSSL_SetTmpEC_DHE_Sz(WOLFSSL*, unsigned short); #ifndef NO_FILESYSTEM WOLFSSL_API int wolfSSL_SetTmpDH_file(WOLFSSL*, const char* f, int format); #endif @@ -892,7 +891,6 @@ WOLFSSL_API int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX*, const unsigned char* p, int pSz, const unsigned char* g, int gSz); WOLFSSL_API int wolfSSL_CTX_SetTmpDH_buffer(WOLFSSL_CTX*, const unsigned char* b, long sz, int format); -WOLFSSL_API int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX*, unsigned short); #ifndef NO_FILESYSTEM WOLFSSL_API int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX*, const char* f, @@ -900,6 +898,9 @@ WOLFSSL_API int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX*, unsigned short); #endif #endif /* NO_DH */ +WOLFSSL_API int wolfSSL_SetTmpEC_DHE_Sz(WOLFSSL*, unsigned short); +WOLFSSL_API int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX*, unsigned short); + /* keyblock size in bytes or -1 */ /* need to call wolfSSL_KeepArrays before handshake to save keys */ WOLFSSL_API int wolfSSL_get_keyblock_size(WOLFSSL*); diff --git a/wolfssl/version.h b/wolfssl/version.h index ed8aadbf7..54e92ffc0 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.4.6" -#define LIBWOLFSSL_VERSION_HEX 0x03004006 +#define LIBWOLFSSL_VERSION_STRING "3.4.7" +#define LIBWOLFSSL_VERSION_HEX 0x03004007 #ifdef __cplusplus } diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index bcea930ab..7511cdfc4 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
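Review bot: The two `SetTmpEC_DHE_Sz` prototypes in `wolfssl/ssl.h` are now declared unconditionally, and their `unsigned short` parameter has neither a name nor a comment giving its unit or accepted range. If the definitions are compiled only with `HAVE_ECC` (not visible on this page), wrapping the pair in `#ifdef HAVE_ECC` would turn a misuse into a compile error instead of a link error. Naming the parameter, e.g. `unsigned short sz`, and adding a comment line above the pair stating which size is being set would document the contract callers rely on when choosing ephemeral key strength.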
@@ -387,6 +387,7 @@ struct DecodedCert { byte extNameConstraintSet; #endif /* IGNORE_NAME_CONSTRAINTS */ byte isCA; /* CA basic constraint true */ + byte weOwnAltNames; /* altNames haven't been given to copy */ byte extKeyUsageSet; word16 extKeyUsage; /* Key usage bitfield */ byte extExtKeyUsageSet; /* Extended Key Usage */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index b2edbe206..23c19486d 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -105,18 +105,21 @@ /* Uncomment next line if building for uT-Kernel */ /* #define WOLFSSL_uTKERNEL2 */ +/* Uncomment next line if using Max Strength build */ +/* #define WOLFSSL_MAX_STRENGTH */ + #include -#ifdef IPHONE - #define SIZEOF_LONG_LONG 8 -#endif - - #ifdef WOLFSSL_USER_SETTINGS #include #endif +#ifdef IPHONE + #define SIZEOF_LONG_LONG 8 +#endif + + #ifdef COMVERGE #define THREADX #define HAVE_NETX @@ -337,7 +340,7 @@ #pragma diag_suppress=11 #endif - #include + #include #endif #ifdef EBSNET @@ -700,11 +703,11 @@ /* stream ciphers except arc4 need 32bit alignment, intel ok without */ -#ifndef XSTREAM_ALIGNMENT +#ifndef XSTREAM_ALIGN #if defined(__x86_64__) || defined(__ia64__) || defined(__i386__) - #define NO_XSTREAM_ALIGNMENT + #define NO_XSTREAM_ALIGN #else - #define XSTREAM_ALIGNMENT + #define XSTREAM_ALIGN #endif #endif @@ -720,7 +723,7 @@ #ifndef WOLFSSL_GENERAL_ALIGNMENT #ifdef WOLFSSL_AESNI #define WOLFSSL_GENERAL_ALIGNMENT 16 - #elif defined(XSTREAM_ALIGNMENT) + #elif defined(XSTREAM_ALIGN) #define WOLFSSL_GENERAL_ALIGNMENT 4 #elif defined(FREESCALE_MMCAU) #define WOLFSSL_GENERAL_ALIGNMENT WOLFSSL_MMCAU_ALIGNMENT 
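Review bot: The comment on the new `weOwnAltNames` field, `altNames haven't been given to copy`, does not say which value means this struct must free the list, and an ownership flag that is read the wrong way leads to a double free or a leak. Suggested wording, to be confirmed against the code that sets and tests the flag: `/* nonzero: this DecodedCert frees altNames; cleared once the list is handed to another owner */`. The struct definition starts and ends outside the hunk and the initialisation of the field is not visible, so it is worth checking that the init routine sets it explicitly.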
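Review bot: Renaming `XSTREAM_ALIGNMENT` to `XSTREAM_ALIGN` in the `settings.h` hunks at `@@ -700` and `@@ -720` silently drops the setting for any build that still passes the old macro in its flags or user settings. For example, an x86 build that forced alignment with the old name now gets `NO_XSTREAM_ALIGN`, and `WOLFSSL_GENERAL_ALIGNMENT` no longer selects 4 on its behalf. A compatibility shim placed just before the `#ifndef XSTREAM_ALIGN` test keeps existing configurations working: `#if defined(XSTREAM_ALIGNMENT) && !defined(XSTREAM_ALIGN)`, `#define XSTREAM_ALIGN`, `#endif`. A comment there naming the old macro as deprecated would tell integrators to migrate.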
@@ -748,6 +751,20 @@ #endif #endif +/* if desktop type system and fastmath increase default max bits */ +#ifdef WOLFSSL_X86_64_BUILD + #ifdef USE_FAST_MATH + #ifndef FP_MAX_BITS + #define FP_MAX_BITS 8192 + #endif + #endif +#endif + +/* If using the max strength build, ensure OLD TLS is disabled. */ +#ifdef WOLFSSL_MAX_STRENGTH + #undef NO_OLD_TLS + #define NO_OLD_TLS +#endif /* Place any other flags or defines here */
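Review bot: The `WOLFSSL_MAX_STRENGTH` check that forces `NO_OLD_TLS` sits above the `/* Place any other flags or defines here */` marker, so a `#define WOLFSSL_MAX_STRENGTH` added where that comment invites it is seen too late and this block is skipped. The build would then carry the max-strength label while the old protocol code stays compiled in. Moving the block below the user-defines area fixes the ordering. Alternatively, state it in the comment, e.g. `/* WOLFSSL_MAX_STRENGTH must be defined before this point, not in the section below */`. The same ordering applies to the `FP_MAX_BITS` default if `USE_FAST_MATH` is set in that later section.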